1. Introductions and apologies 


1.1. There were apologies from Jane McCall, Non-executive 
Director, who was unable to attend the meeting. Jane had 
recently been appointed as a member of the Audit Committee 
and had fed her comments on agenda items in by email. 


1.2. Paul Keane was welcomed to the Audit Committee as the 
partner in charge of the ICO and DCMS external audits. 


2. Declaration of interests 
2.1. There were no declarations of interest. 


3. Action points from the Audit Committee meeting of the 12 
September 


3.1. The minutes of the last meeting, agreed in 
correspondence, were confirmed as being accurate. 


3.2. Peter Bloomfield advised that the extension of the 
internal audit contract had been agreed and the variation 
agreement would, subject to any concerns expressed today 
by the Committee, be signed shortly. There would be a 
discussion on this at the end of the meeting in the absence of 
the auditors. 


3.3. Peter Bloomfield also updated the Committee on an 
outstanding action point from the last Committee meeting. 
This related to the need to re-procure the internal audit 
contract from 1 April 2018. The Governance and Procurement 
teams were both alert to the need to pick up new internal 
audit frameworks when released. 


3.4. Peter Bloomfield confirmed that the Management Board 
action in respect of directors’ responsibilities would be 
complete once the guidance for annual reporting for 2016/17 
was published. 


4. The Commissioner’s update on matters affecting the ICO. 


4.1. Elizabeth Denham provided an update on issues 
affecting the ICO. These included her recent focus on the 
relationship with government and Whitehall in respect of 
decisions around the implementation of the General Data 
Protection Regulation (GDPR). 


4.2. In addition Elizabeth Denham highlighted management 
and structural changes that were in the process of being 
made. 


4.2.1. Two new Non-executive Directors have been appointed: 
Jane McCall and David Cooke. 


4.2.2. Robert Luke had been appointed as the new Deputy 
Commissioner (Policy) with responsibility for forging links 
across government and Whitehall. He would be in post at 
the end of January 2017. 


4.2.3. Simon Entwisle, Deputy Commissioner, would be 
retiring in July 2017, and the ICO would be recruiting for 
a Deputy Commissioner (Operations) and a Deputy Chief 
Executive Officer. 


4.2.4. Elizabeth Denham was also going to appoint a General 
Counsel to provide legal advice to the Commissioner, and 
a Strategic Technology Advisor post along with expanding 
the policy teams to cope with implementation of the 
GDPR. 


It was confirmed that the new organisational structure was to 
be in place by the end of March, and that management 
responsibilities in areas recently subject to internal audit 
would generally remain as now. 


4.3. Taking work forward in the ICO the focus would be on 
building capacity around technology and assurance work and 
dealing with an expansion of staff numbers to undertake the 
increased role for the ICO under the GDPR. 


4.4. Plans for a Grants and Contributions Scheme would be 
discussed later in the meeting and the ICO was developing an 
International Strategy. 


4.5. Elizabeth Denham also updated the Committee on ICO 
action in respect of charities and their compliance with the 
Data Protection Act. 


5. Risk management 


5.1. Peter Bloomfield introduced the risk register, explaining 
that two new risks in respect of GDPR and change and two 
new risks in respect of finances, had been added following 
comments made at Management Board and Audit Committee. 


5.2. The Committee raised the issue of the ICO being able to 
demonstrate it was a going concern in respect of its annual 
report and accounts. This arose from continuing uncertainty 
over data protection fee income and implementation of 
GDPR. 


5.3. This issue had been identified and discussed with the 
NAO. The Annual Report and Accounts 2016/17 would need 
to reflect the position on signing. The Committee considered 
that formally alerting the Department for Culture, Media and 
Sport (DCMS) would be helpful. 


5.4. The ICO confirmed that it had been involved with the 
DCMS in preparation of an impact assessment identifying the 
cost (for the ICO) of implementing the GDPR. It was also 
noted that the GDPR obliged the government to provide a 
regulator with adequate funding and DCMS was aware of this. 
However, changes to the funding of the ICO needed primary 
legislation which depended on parliamentary time being 
available. 


5.5. In respect of the risk register Jane McCall had noted 
that many of the assurances were inputs rather than outputs 
(eg meetings did not necessarily mitigate risks), and 
mitigating actions needed to have a positive impact to help 
manage the risk. She also considered that in respect of 
resource planning the focus was on capacity rather than 
capability. 


6. Financial issues affecting the ICO 


October finance report 


6.1. Paul Arnold introduced the October financial report as 
the latest available. The November report is in preparation. 


6.2. The ICO was concerned about a reduction in the rate of 
increase of notification fee income over the summer. 
November receipts (and indications from early December) 
were stronger although income was below forecast year to 
date. The ICO was constantly monitoring the position and 
there were opportunities to both reduce and increase 
spending towards the year end depending on fee income 
actually received over the last few months. 


6.3. Paul Arnold reported that he did not know why the 
increase in fee income had dipped. The ICO had checked with 
data controllers who had let notifications expire but this had 
not indicated anything out of the ordinary. Paul Arnold also 
confirmed that the ICO did regularly chase expired 
notifications on a risk basis (ie organisations processing 
sensitive personal data), but given the recent dip it was 
undertaking 100% checks, following up by email and phone. 


6.4. It was confirmed that there was no danger of an 
overspend. 


6.5. Paul Keane asked whether the ICO would spend up to its 
capital allowance. Paul Arnold advised that 
most capital expenditure is IT related and is reviewed 
regularly. Expenditure was on track. 


6.6. The possibility of a budget underspend on legal advice 
was noted and the Committee questioned whether the money 
could be carried forward into next financial year. It was 
confirmed that to do this required an actual obligation, rather 
than intent, to pay. 


6.7. The Committee also asked whether or not DCMS had 
provided funding for work the ICO would have to undertake 
having taken on the Telephone Preference Service. The ICO 
confirmed that it had not. The £60k budget allocated was for 
legal costs arising from re-procuring the contract for the 
service. 


6.8. Sally Hanson identified and corrected an error in figures 
detailing civil monetary penalties collected figures. 


Fee forecasting and financial planning 


6.9. It was explained that the ICO had made a decision on 
its fee forecast for next year. This was option 2 of the paper 
which had been tabled at this meeting and had previously 
been to Senior Management Team. It was confirmed that this 
option was the original estimate for 2016/17 (BV1) plus 4%. 
The Committee noted the estimate and confirmed it was 
content. 


Funding of the grants and contributions scheme 


6.10. Following discussion at the last meeting the ICO 
presented ways of funding a proposed Grants and 
Contributions scheme. There was discussion as to whether or 
not surplus funding this financial year could be carried 
forward into next to help fund the scheme. There was 
ongoing discussion with DCMS on this. The NAO considered that 
as things stood, without a formal commitment the money 
could not be accrued; normal accounting rules needed to be 
followed. 


6.11. It was considered unlikely that the scheme would be up 
and running this financial year, although it was suggested 
that a pilot scheme might be capable of being fast-tracked. It 
was also suggested that match funding could increase the 
impact of ICO expenditure. 


Action point 1: Paul Arnold to look further at the 
possibility of carrying forward surplus income from this 
to the next financial year to help fund the Grants and 
Contributions Scheme and to ensure that the NAO was 
content with any proposals. 


7. Outstanding audit recommendations 


7.1. Peter Bloomfield introduced the report on performance 
in clearing audit (internal and external) recommendations. In 
general recommendations were being acted upon to deadline. 
However, some of the recommendations arising from the 
recent finance review would be delayed by a month due to 
the need to make changes to the procurement management 
system. These changes needed to be tested, and be made at 
month end. Paul Arnold confirmed that an operational 
decision had been made to do this at the end of January. 


7.2. Whilst noting the reason, the Audit Committee expressed 
concern about the presentational aspect of deadlines that had 
been set and agreed being missed. 


7.3. Grant Thornton suggested that greater challenge from 
auditors, if they thought deadlines agreed to might be too 
tight, was needed. 


7.4. Paul Arnold confirmed that the final recommendations 
from the Cryptographic Controls review would be met. 


8. Internal audit 


Internal audit update 


8.1. Grant Thornton presented the report on progress 
against the internal audit plan 2016/17. The reviews of 
monetary penalties and cryptographic controls had been 
agreed and were tabled at this meeting. The IT asset 
management (phase 1) review was close to completion. In 
addition the data protection law reform review, stakeholder 
review and investigations review were in planning. 


8.2. The follow up review had originally been scheduled for 
January but following discussion with the ICO this would now 
be completed in February. The delay would allow more of the 
reviews to have been completed. 


Recovery of monetary penalties 


8.3. In respect of the audit of monetary penalties, Grant 
Thornton had not identified problems but had suggested 
improvements to the process relating to, in particular, the 
better sharing of data internally and of reporting. 


8.4. The Committee asked whether the ICO was aggressive 
enough in chasing monetary penalties. Simon Entwisle 
confirmed that the ICO had to be balanced in its approach 
but did aim to be as effective as possible. The introduction of 
director liability next year would represent an additional lever 
in helping the ICO collect monetary penalties. 


8.5. The Committee also asked whether dealing with delays 
in paying penalties was covered in the work flows the 
Committee had been presented with prior to the meeting. 


Action point 2: Peter Bloomfield to check the work 
flows and guidance and liaise with Enforcement as to 
whether action on delays in paying penalties was 
covered. 


Cryptographic controls 


8.6. In respect of this audit, Grant Thornton considered that 
processes had improved and were content with governance in 
the area. Audits take place and results are passed to 
managers. The audit was shown as amber purely because the 
audit had not, at that time, been completed. It had now been 
done and if the review had taken place later it would have 
been green. 


9. External audit 


9.1. Alison Langridge introduced the audit planning report on 
the 2016/17 financial statement. It detailed how the audit 
was to be conducted, the timetable, fee and identified 
significant financial risks. The risks included the issue already 
discussed of the ICO being a going concern because of 
uncertainty over the implementation of the GDPR and the 
financial implications. The question was asked as to whether 
the NAO would be discussing the issue with the DCMS. Paul 
Keane advised that it was for the ICO to continue to raise 
with DCMS but that DCMS might be able to provide a letter of 
comfort if necessary. 


9.2. BDO asked the Audit Committee to consider the 
identified risks and to agree them. The Committee did so. 


9.3. BDO also asked the Committee if it had any knowledge 
of actual or suspected fraud the auditors needed to be aware 
of. The ICO and internal auditors confirmed a nil response. 


9.4. It was noted that the fee had reduced to £30k. 


10. Fraud, whistleblowing and security incidents 


10.1. The report providing an overview of fraud, 
whistleblowing and security incidents over the last quarter 
was presented for information. Whilst recognising the need to 
keep the report generally high level the Audit Committee 
requested the opportunity to look at some of the issues 
raised in more detail. 


Action point 3: Peter Bloomfield to arrange for 
someone to attend the next Committee meeting to 
provide more information. 


11. Any other urgent business 


11.1. There was no other urgent business. 


